Instability with signals and threads

Corinna Vinschen
Thu Nov 20 10:00:00 GMT 2014

Hi Mikulas,

On Nov 19 17:42, Mikulas Patocka wrote:
> Hi
> I have a program that sets a repetitive timer with setitimer and spawns 
> several threads.
> The program is very unstable on cygwin, it locks up in few minutes.
> The bug manifests itself in the following way: the signal thread calls 
> cygheap->find_tls to find a thread to deliver the signal to. find_tls 
> generates an exception when scanning the threadlist, jumps to the __except 
> block and calls threadlist[idx]->remove(INFINITE).
> The method threadlist[idx]->remove is called with invalid "this" pointer 
> (sometimes it is zero, sometimes it points to unmapped memory), generates 
> another exception on "initialized = 0" line and becomes stuck on this 
> assignment.

Now that you mention it, it makes sense.  The exception gets triggered
by accessing an invalid member of threadlist.  Using the very same
member in another method call looks.... borderline, to say the least.

> I found out that when I modify the remove_tls method so that it always 
> acquires the lock and removes the thread from the threadlist (change 
> "tls_sentry here(wait)" to "tls_sentry here(INFINITE)"), the bug goes away 
> and the multithreaded program is stable.

[Noted your augmenting comment preceeding the testcase in your other mail]

> Alternativelly - the crash can be fixed if we change "_my_tls.remove (0)" 
> to "_my_tls.remove (INFINITE)" in thread_wrapper (though, there is another 
> _my_tls.remove (0) call in dll_entry in winsup/cygwin/ and it could 
> trigger the same crash)

I don't think so.  In dll_init, the call is done inside a DLL_THREAD_DETACH
for this very thread, so &_my_tls is still a valid pointer.

> I'd like to ask - what's the reason for not waiting for the lock in 
> remove_tls? If the lock is already locked, remove_tls does nothing - but 
> the _cygtls structure is freed anyway, so that there is dangling pointer 
> no the thread list. Do you think that we can drop this "wait" argument and 
> always wait for the lock in remove_tls?

Unfortunately I can't tell you about the reasoning behind this.  The guy
who created this code has left the project, so we just have to work with
the status quo.

> Another possible bug - when find_tls exits, it drops the tls_sentry lock 
> and returns the pointer to _cygtls. What happens if the thread owning the 
> tls exits at this point? It seems that there is nothing that prevents it 
> from exiting and that the caller of find_tls (sigpacket::process) will 
> work with a pointer to invalid thread. It seems that we need to add some 
> reference count to _cygtls to prevent it from disappearing while we are 
> trying to send a signal to it. (or keep tls_sentry::lock locked until 
> sigpacket::process is done with the signal, though I don't know if keeping 
> the lock for so long won't cause deadlocks).

I'm going to investigate this in the next couple of days.  However,
since you're obviously willing and able to debug this situation
yourself, I would very much appreciate your further input.  If you have
any fun to provide patches to Cygwin, please feel free to read and follow up on the cygwin-developer
and cygwin-patches mailing lists.  The copyright assignment is still
required for non-trivial patches (~10 lines rule).  I hope that's ok.

Thanks a lot,

Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <>

More information about the Cygwin mailing list